firefox140: update to 140.10.1
Mozilla Foundation Security Advisory 2026-36
Security Vulnerabilities fixed in Firefox ESR 140.10.1
Announced: April 28, 2026
Impact: high
Products: Firefox ESR
Fixed in: Firefox ESR 140.10.1
#CVE-2026-7320: Information disclosure due to incorrect boundary conditions in the Audio/Video component
Reporter: Xuehao Guo
[45 lines not shown]
dasel: update to 3.8.1.
install man pages and shell completion
## [v3.8.1] - 2026-04-30
- `dasel man` now generates a reproducible manpage based on [SOURCE_DATE_EPOCH](https://reproducible-builds.org/specs/source-date-epoch).
sysutils/upower: update to 1.91.2
# upstream changes (since 1.90.9)
Version 1.91.2
--------------
Released: 2026-04-01
- Feature: Skip the systemd inhibitor when performing CriticalPowerAction (!309)
- Feature: Introduce "Auto" CriticalPowerAction using systemd-logind Sleep() (!309)
- Fix: Test CanPowerOff() availability before calling PowerOff() (!311)
- Fix: Add charge limit support for systems providing only charge_control_end_threshold (!310, #342, #285)
Version 1.91.1
--------------
Released: 2026-02-10
- Fix: a resource leak (!294)
- Fix: a NULL exception caused by a Non-NULL GError pointer (!295, #331)
[31 lines not shown]
glib2: avoid false g_module_symbol() failures on NetBSD
On NetBSD, do not turn a non-NULL dlsym() result into a
g_module_symbol() failure only because dlerror() has a non-NULL value.
POSIX specifies that it is implementation-defined whether dlerror()
is thread-safe:
https://pubs.opengroup.org/onlinepubs/9799919799/functions/dlerror.html
as already noted in gmodule-dl.c comments.
On NetBSD, dlerror(3) state is process-global and not thread-safe,
so a non-NULL dlerror() value is not a reliable reason to reject
a non-NULL dlsym() result. Marking dlerror() as not thread-safe
in GLib by DLERROR_IS_THREADSAFE=0 would only serialize GLib's
own dynamic linker calls and would not protect against dynamic
linker calls made outside GLib.
POSIX also specifies that dlsym() returns a null pointer if the
symbol cannot be found. However, glibc documents cases where
[8 lines not shown]
Provide defaults for VM_PHYSSEG_MAX, VM_PHYSSEG_STRAT (single segment),
VM_NFREELIST, and VM_FREELIST_DEFAULT (single freelist).
Achievement unlocked: some platform <machine/vmparam.h> files are now just
simple wrappers around <m68k/vmparam.h> (and a few more are *very* close).
Centralize the definition of VM_PHYS_SIZE. While doing so, change
the logic for its value, eliminating the obsolete USRIOSIZE constant.
Previously, on Utah-derived platforms, USRIOSIZE was defined as the
number of PTEs used for phys_map, and VM_PHYS_SIZE was USRIOSIZE * PAGE_SIZE.
The USRIOSIZE was in turn derived from NPTEPG (number of PTEs in one page).
On 4K page systems, that was a 4MB phys_map. On 8K page systems, that
was a 16MB phys_map (4x multiplier comes from 2x PTEs per page, 2x bytes
per page mapped). These values are totally excessive; the most pressure
phys_map experiences on a typical system is boot-time fsck, and the max
mapping request it will see is MAXPHYS (64KB); it is generally not used in
steady-state operation. In contrast, alpha's phys_map is 512KB and 32-bit
x86 is ~1MB.
Instead, simply define reasonable values for VM_PHYS_SIZE independent of
PAGE_SIZE: 256KB for 68010, 1MB for everyone else. Per-platform constraints
can override these values (although they happen to match what Sun2 and Sun3
use, respectively).
[3 lines not shown]
graphics/lcms2: Explain upstream's (very unclear) cmake status
I asked upstream a bunch of questions just now. For now, avoid
jumping to cmake because 1) upstream hasn't said it's baked and 2)
usually new cmake systems have regressions and this one hasn't been
tested.
py-test-order: updated to 1.4.0
1.4.0
Allows the plugin to run after `--failed-first` and similar options.
Changes
* removed official support for Python 3.7-3.9 (EOL), added Python 3.13 and 3.14
New features
* added option `--order-after-ff`, which allows `pytest-order` to run after built-in hooks
like the `--failed-first` option
Infrastructure
* use trusted publisher for release (see https://docs.pypi.org/trusted-publishers/)
* use `pyproject.toml` for project setup
Documentation
* use a theme for documentation supporting dark mode
* added use case for ordering test modules
* fixed documentation for `--indulgent-ordering` option
py-test-codspeed: updated to 4.5.0
4.5.0
Internals
Pre-build macos binary
Bump instrument-hooks submodule to use int32_t as pid
Add macos integration test
graphics/lcms: Drop MAINTAINERship
(Note that this is lcms-1, last released in 2009. It is a deletion
candidate, but there are multiple (surely unmaintained) packages
depending on it.)
mimalloc: updated to 3.3.2
3.3.2
various bug and security fixes through LLM audit (by @Zoxc). Only increase
minimal purge size automatically if allow_thp is set to 2. Enable large OS
alignment on all platforms (fixing OS large pages on Windows). Fix accounting
of committed memory on Linux/macOS. Update MSVC atomics implementation when
using C mode. Upstream Emscripten fixes. Proper atomic do-once implementation.